HackTool - GMER Rootkit Detector and Remover Execution


About the rule

Rule Type

Standard

Rule Description

Detects execution of GMER, a rootkit detection and removal utility, based on known image names and cryptographic hashes. GMER scans for hidden processes, modules, services, files, registry modifications, kernel hooks, and other rootkit indicators. This detection also covers usage of GMER-related loaders and suspicious command-line parameters involving process dumping and memory captures.

Severity

Trouble

Rule journey

Attack chain scenario

Discovery (T1083) → Defense Evasion (T1562) → Impact (Varies)

Impact

Detection of rootkit scanning and removal activities, potentially indicating either attacker attempts to detect or disable security monitoring or defender activities in response to suspected rootkits.

Rule Requirement

Prerequisites


Using Windows Event Viewer

  1. Log in to a domain controller as a domain admin.
  2. Open Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog.
  3. Create a new GPO or edit an existing one linked to the target OU.
  4. Navigate to:
    Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
  5. Right-click on Audit Process Creation, choose Properties, check Configure the following audit events, and select Success. Click OK.
  6. Do the same for Audit Process Termination.
  7. Navigate to:
    Computer Configuration → Administrative Templates → System → Audit Process Creation
  8. Double-click Include command line in process creation events, select Enabled, and click OK.
  9. Ensure this registry path exists:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational

Using Sysmon

  1. Download and install Sysmon from Microsoft Sysinternals.
  2. Open Command Prompt with administrator privileges.
  3. Create or use a Sysmon configuration file that includes process creation monitoring.
  4. Install Sysmon with the configuration using: sysmon.exe -i config.xml
  5. In your configuration file, include process creation events by defining a rule for ProcessCreate.
  6. Ensure this registry path exists:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\gmer.exe" OR HASHES contains "MD5=E9DC058440D321AA17D0600B3CA0AB04" OR HASHES contains "SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57" OR HASHES contains "SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
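As an added illustration, not part of the rule or of any vendor platform, the following Python applies the criteria above to constructed Sysmon-style process-creation records; the field names Image, Hashes and EventType follow Sysmon's schema, and the sample events are constructed. It matches each known hash component separately, because the set and order of algorithms in Sysmon's Hashes field depend on the Sysmon configuration, so a single concatenated string would miss a renamed binary.

```python
# Indicators taken from the rule: default image name and three known hashes.
GMER_IMAGE_SUFFIX = "\\gmer.exe"
GMER_HASHES = {
    "MD5": "E9DC058440D321AA17D0600B3CA0AB04",
    "SHA1": "539C228B6B332F5AA523E5CE358C16647D8BBE57",
    "SHA256": "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173",
}

def parse_hashes(field):
    """Parse a Sysmon-style Hashes field ('MD5=..,SHA256=..,IMPHASH=..')
    into {algorithm: uppercase hash}; algorithm order varies by config."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out

def matches_gmer(event):
    """Return (matched, reason) for one process-creation event dict."""
    if event.get("EventType") != "ProcessCreate":
        return False, None
    if event.get("Image", "").lower().endswith(GMER_IMAGE_SUFFIX):
        return True, "image name"
    seen = parse_hashes(event.get("Hashes", ""))
    for algo, known in GMER_HASHES.items():
        if seen.get(algo) == known:
            return True, f"{algo} hash"
    return False, None

def scan(events):
    """Apply the rule to a list of events; returns [(Image, reason), ...]."""
    hits = []
    for e in events:
        ok, reason = matches_gmer(e)
        if ok:
            hits.append((e["Image"], reason))
    return hits

# Constructed sample telemetry (not real events): a renamed copy carrying only
# the SHA256 plus an IMPHASH, a benign process, and the default image name.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Temp\\svc.exe",
     "Hashes": "SHA256=e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173,IMPHASH=00000000000000000000000000000000"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventType": "ProcessCreate", "Image": "D:\\Tools\\GMER.exe", "Hashes": ""},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT: {image} matched on {reason}")
```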

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

  1. T1083 – File and Directory Discovery
  2. T1562 – Impair Defenses
  3. (Impact phase may vary depending on context; not always mapped)

Security Standards

Not specifically defined for this rule but process creation auditing and command-line capture are standard monitoring practices.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

Unlikely due to specific hashes and executable names targeted.

Next Steps

  • Investigate all occurrences of gmer.exe and related loaders.
  • Confirm legitimacy of GMER usage; verify if initiated by authorized security teams or potentially adversary activity.
  • Review relevant process command-line arguments related to dumping or memory capture for suspicious behavior.
  • Enhance endpoint visibility and logging for rootkit detection and removal activities.
  • Conduct forensic analysis if unauthorized or suspicious rootkit detection/removal attempts are observed.

Mitigation

Mitigation ID | Name | Description
M1047 | Audit | Enable comprehensive process creation auditing with command-line logging to monitor for unauthorized execution of rootkit detectors.
M1038 | Execution Prevention | Use application control policies (e.g., AppLocker, Windows Defender Application Control) to restrict execution of unauthorized tools.
M1022 | Restrict File and Directory Permissions | Ensure strict permissions on directories and files to prevent unauthorized installation or execution of rootkit detection tools.
M1024 | Restrict Registry Permissions | Secure registry keys to prevent tampering or unauthorized configuration changes by malicious actors.
M1018 | User Account Management | Limit user permissions, especially administrative rights, to reduce the risk of unauthorized tool execution or system tampering.
M1051 | Update Software | Keep the operating system and security tools up to date to leverage the latest protections and fixes against rootkits and malware.